Especially in cost-relevant transactions, such as in online banking or in connection with online auctions, the following relevant information must be transmitted:
a) the receiver account that receives a credit (Receiver Account Number) or the purchase object for which a bid is being offered;
b) the amount that should be credited to the receiver or the amount of the bid (Ordered Amount);
c) the sender account to be debited (Sender Account Number, can be omitted in auctions);
d) the natural person who has initiated the transaction and who validated the transaction data.
In many data transmission protocols currently employed, the information under a), b) and c) is inadequately protected. The information under d) is not sufficiently secured in any of the known protocols.
A reliable transaction protocol must establish a fixed link between the initiator, that is, the individual (for example the bank client), and the data to be transmitted. Through attacks such as phishing, the receiver account number and potentially also the amount are modified, that is, falsified, in the transactions initiated by bank clients. Malware on the computer of the individual can also modify the amount and the destination account number. Remotely controlled malware, moreover, enables the attacker, and no longer the bank client himself, to be the initiator of a transaction.
The so-called Homebanking Computer Interface (HBCI), developed by several German bank groups since 1996 and standardized by resolution of the Zentraler Kreditausschuss (ZKA), is known. HBCI provides an interface for a chip card-based online transaction protocol. The protocol was developed further by the ZKA into the Financial Transaction Services (FinTS). In HBCI/FinTS, TAN (Transaction Number) lists are omitted and, instead, a security-checked chip card reader and a chip card, also checked for security and in the possession of the bank client, are employed. Through HBCI a tap-proof communication channel between the client computer and the bank server is established. The transaction data are signed with the private key of a key pair of the bank client. This key is securely stored in the chip card. The transaction data and the applied digital signature are transmitted to the bank server. However, malware on the client computer enables the transaction data to be changed before they are signed using the chip card.
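The HBCI weakness described above, as an added example that is not part of the original text: the card signs whatever bytes the host hands it, so an order altered on the client computer still verifies at the bank. HMAC stands in for the card's private-key signature so the code runs on the standard library alone; the key, the account strings and the `intent_digest` check value are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; HMAC is a stand-in for the chip card's private-key signature.
CARD_KEY = b"constructed-demo-key-held-inside-the-card"

def canonical(order: dict) -> bytes:
    """Serialize the order deterministically so both sides handle the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()

def card_sign(data: bytes) -> str:
    """The card signs the bytes it is given; it never sees what the user typed."""
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()

def bank_verify(data: bytes, signature: str) -> bool:
    """Bank-side check: proves the card signed these bytes, nothing more."""
    return hmac.compare_digest(card_sign(data), signature)

def host_submit(order: dict, tamper=None):
    """Model of the client computer: may alter the order before it reaches the card."""
    sent = dict(order)
    if tamper:
        sent.update(tamper)
    data = canonical(sent)
    return data, card_sign(data)

def intent_digest(data: bytes) -> str:
    """Hypothetical short check value a user could compare over a separate channel."""
    return hashlib.sha256(data).hexdigest()[:8]

def demo() -> dict:
    # Constructed order as the bank client entered it.
    entered = {"receiver": "DE00-CONSTRUCTED-0001",
               "amount": "120.00",
               "sender": "DE00-CONSTRUCTED-0002"}
    expected = intent_digest(canonical(entered))
    clean = host_submit(entered)
    altered = host_submit(entered, tamper={"receiver": "DE00-CONSTRUCTED-9999"})
    return {
        "clean_verifies": bank_verify(*clean),
        "altered_verifies": bank_verify(*altered),      # signature is still valid
        "clean_matches_intent": intent_digest(clean[0]) == expected,
        "altered_matches_intent": intent_digest(altered[0]) == expected,
    }

if __name__ == "__main__":
    print(demo())
```

Signature verification succeeds in both cases; only a comparison against what the client actually entered separates the two orders.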
In the TAN generator method, mobile tokens are used which electronically generate TANs in sequence under time control. The TAN generator is supplied to the bank client by mail. Misuse is possible, especially if the generator falls into the hands of other individuals.
It has already been proposed to secure data transmissions against fraud or falsification by utilizing biometric methods. In classic biometric systems two phases are distinguished: the registration phase (enrollment), in which the future authentication is prepared with the aid of a biometric feature, and the verification phase proper, in which a biometric sample is taken in digital form.
However, authentication raises the problem of protecting individuals against misuse of their biometric features. The privacy of the individuals must be protected. The unsecured transmission of information about biometric characteristics must therefore be excluded. Encrypted transmission of such information is also not accepted by many individuals since, after decryption at the receiver, the biometric features are again available in recognizable form. Attempts have been made to counter this by irreversibly modifying the biometric information with a one-way function (hash function) and storing it only in this form at the receiver. Storage of biometric features at the receiver of the data, however, is complex and expensive and is undesirable for reasons of data protection. Moreover, the biometric features must be present in unchanged form before the one-way function is applied. Since the typical user of methods of secured data transmission does not have precise knowledge of the procedure, even the one-time use of unencrypted biometric feature information is not accepted by many individuals. In addition, the receiver of the data would have to ensure that the unencrypted biometric feature information is irreversibly deleted.